There is a slightly sneaky way to get openldap to support any crypt the
native OS will support with the {CRYPT} option. Change the openldap
option password-crypt-salt-format.
On my servers the value is set to "$6$%.8s" which gives the result of using
sha512 (one of several sha2 choices). This trick will depend on which
choices are built into your native OS crypt function. In theory look at the
crypt(5) man page to find this information. We've been doing this locally
for probably a decade and it works well.
On Thu, Mar 18, 2021 at 9:59 AM Dario García Díaz-Miguel <dgdiaz(a)gmv.com>
wrote:
Hello,
We have a question related with the pw-sha2 module.
We have deployed OpenLDAP2.4.46-9.31.1 on SLES15 SP2 from the official
Suse Repository and we are able to use {CRYPT} {MD5} {SMD5} {SSHA} and
{SHA}.
We are awared that in order to support SHA-256 we have to load the contrib
module named pw-sha2 which it was included on SLES12SP5 but is totally
missing on SLES15SP2 package. This means that we would need to compile it,
but due to limitations of the project we are working on we are not allowed
to compile anything external.
So I checked the changelog and I found that support was added on 2.4.32
release.
Is it possible that the openldap2 package could have been compiled with
the module features itself and I just need to add some kind of attribute or
entry to my LDAP directory in order to enable it?
We have tried to use Apache Directory Studio instead of slappasswd and we
have set up a password to SHA256 but the bind won't work. Instead,
CRYPT-SHA256 works so I can't figure out why.
I suppose I'm totally misunderstanding this and the compilation of the
module is required, but a little light ray of hope is there.
Thank you so much.
Regards.
P Please consider the environment before printing this e-mail.
--
Dale James Thompson, NWS
NEXRAD Radar Operations Center
IT Specialist, Configuration Management Team
Voice (405) 573-3472
Fax (405) 573-3480
Dale.J.Thompson(a)noaa.gov